Step 4. Define Microsoft Defender XDR roles, responsibilities, and oversight


Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

  • Microsoft Defender XDR

Your organization must establish ownership and accountability of the Microsoft Defender XDR licenses, configurations, and administration as initial tasks before any operational roles can be defined. Typically, the ownership of the licenses, subscription costs, and administration of Microsoft 365 and Enterprise Security + Mobility (EMS) services (which may include Microsoft Defender XDR) fall outside the Security Operations Center (SOC) teams. SOC teams should work with those individuals to ensure proper oversight of Microsoft Defender XDR.

Many modern SOCs assign its team members to categories based on their skillsets and functions. For example:

  • A threat intelligence team assigned to tasks related to lifecycle management of threat and analytics functions.
  • A monitoring team comprised of SOC analysts responsible for maintaining logs, alerts, events, and monitoring functions.
  • An engineering & operations team assigned to engineer and optimize security devices.

SOC team roles and responsibilities for Microsoft Defender XDR would naturally integrate into these teams.

The following table breaks out each SOC team's roles and responsibilities and how their roles integrate with Microsoft Defender XDR.

SOC team Roles and responsibilities Microsoft Defender XDR tasks
SOC Oversight
  • Performs SOC governance
  • Establishes daily, weekly, monthly processes
  • Provides training and awareness
  • Hires staff, participates in peer groups and meetings
  • Conducts Blue, Red, Purple team exercises
  • Microsoft Defender portal access controls
  • Maintains feature/URL and licensing update register
  • Maintains communication with IT, legal, compliance, and privacy stakeholders
  • Participates in change control meetings for new Microsoft 365 or Microsoft Azure initiatives
Threat Intelligence & Analytics
  • Threat intel feed management
  • Virus and malware attribution
  • Threat modeling & threat event categorizations
  • Insider threat Attribute development
  • Threat Intel Integration with Risk Management program
  • Integrates data insights with data science, BI, and analytics across HR, legal, IT, and security teams
    • Maintains Microsoft Defender for Identity threat modeling
    • Maintains Microsoft Defender for Office 365 threat modeling
    • Maintains Microsoft Defender for Endpoint threat modeling
    • Tier 1, 2, 3 analysts
    • Log source maintenance and engineering
    • Data source ingestion
    • SIEM parsing, alerting, correlation, optimization
    • Event and alert generation
    • Event and alert analysis
    • Event and alert reporting
    • Ticketing system maintenance
    • Security & Compliance Center
    • Microsoft Defender portal
    Engineering & SecOps
    • Vulnerability management for apps, systems, and endpoints
    • XDR/SOAR automation
    • Compliance testing
    • Phishing and DLP engineering
    • Engineering
    • Coordinates change control
    • Coordinates runbook updates
    • Penetration testing
      • Microsoft Defender for Cloud Apps
      • Defender for Endpoint
      • Defender for Identity
      Computer Security Incident Response Team (CSIRT)
      • Investigates and responds to cyber incidents
      • Performs forensics
      • May often be isolated from SOC
      Collaborate and maintain Microsoft Defender XDR incident response playbooks

      Next step

      Step 5. Develop and test use cases


      Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.